|
|
dca3ee |
From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
|
|
|
dca3ee |
From: Tomas Mraz <tomas@openssl.org>
|
|
|
dca3ee |
Date: Tue, 26 Apr 2022 12:40:24 +0200
|
|
|
dca3ee |
Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
|
|
|
dca3ee |
|
|
|
dca3ee |
Except on VMS where it is safe.
|
|
|
dca3ee |
|
|
|
dca3ee |
This fixes CVE-2022-1292.
|
|
|
dca3ee |
|
|
|
dca3ee |
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
|
|
|
dca3ee |
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
|
dca3ee |
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23]
|
|
|
dca3ee |
---
|
|
|
dca3ee |
tools/c_rehash.in | 29 +++++++++++++++++++++++++----
|
|
|
dca3ee |
1 file changed, 25 insertions(+), 4 deletions(-)
|
|
|
dca3ee |
|
|
|
dca3ee |
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
|
|
|
dca3ee |
index fa7c6c9fef91..83c1cc80e08a 100644
|
|
|
dca3ee |
--- a/tools/c_rehash.in
|
|
|
dca3ee |
+++ b/tools/c_rehash.in
|
|
|
dca3ee |
@@ -152,6 +152,23 @@ sub check_file {
|
|
|
dca3ee |
return ($is_cert, $is_crl);
|
|
|
dca3ee |
}
|
|
|
dca3ee |
|
|
|
dca3ee |
+sub compute_hash {
|
|
|
dca3ee |
+ my $fh;
|
|
|
dca3ee |
+ if ( $^O eq "VMS" ) {
|
|
|
dca3ee |
+ # VMS uses the open through shell
|
|
|
dca3ee |
+ # The file names are safe there and list form is unsupported
|
|
|
dca3ee |
+ if (!open($fh, "-|", join(' ', @_))) {
|
|
|
dca3ee |
+ print STDERR "Cannot compute hash on '$fname'\n";
|
|
|
dca3ee |
+ return;
|
|
|
dca3ee |
+ }
|
|
|
dca3ee |
+ } else {
|
|
|
dca3ee |
+ if (!open($fh, "-|", @_)) {
|
|
|
dca3ee |
+ print STDERR "Cannot compute hash on '$fname'\n";
|
|
|
dca3ee |
+ return;
|
|
|
dca3ee |
+ }
|
|
|
dca3ee |
+ }
|
|
|
dca3ee |
+ return (<$fh>, <$fh>);
|
|
|
dca3ee |
+}
|
|
|
dca3ee |
|
|
|
dca3ee |
# Link a certificate to its subject name hash value, each hash is of
|
|
|
dca3ee |
# the form <hash>.<n> where n is an integer. If the hash value already exists
|
|
|
dca3ee |
@@ -161,10 +178,12 @@ sub check_file {
|
|
|
dca3ee |
|
|
|
dca3ee |
sub link_hash_cert {
|
|
|
dca3ee |
my $fname = $_[0];
|
|
|
dca3ee |
- $fname =~ s/\"/\\\"/g;
|
|
|
dca3ee |
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
|
|
|
dca3ee |
+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
|
|
|
dca3ee |
+ "-fingerprint", "-noout",
|
|
|
dca3ee |
+ "-in", $fname);
|
|
|
dca3ee |
chomp $hash;
|
|
|
dca3ee |
chomp $fprint;
|
|
|
dca3ee |
+ return if !$hash;
|
|
|
dca3ee |
$fprint =~ s/^.*=//;
|
|
|
dca3ee |
$fprint =~ tr/://d;
|
|
|
dca3ee |
my $suffix = 0;
|
|
|
dca3ee |
@@ -202,10 +221,12 @@ sub link_hash_cert {
|
|
|
dca3ee |
|
|
|
dca3ee |
sub link_hash_crl {
|
|
|
dca3ee |
my $fname = $_[0];
|
|
|
dca3ee |
- $fname =~ s/'/'\\''/g;
|
|
|
dca3ee |
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
|
|
|
dca3ee |
+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
|
|
|
dca3ee |
+ "-fingerprint", "-noout",
|
|
|
dca3ee |
+ "-in", $fname);
|
|
|
dca3ee |
chomp $hash;
|
|
|
dca3ee |
chomp $fprint;
|
|
|
dca3ee |
+ return if !$hash;
|
|
|
dca3ee |
$fprint =~ s/^.*=//;
|
|
|
dca3ee |
$fprint =~ tr/://d;
|
|
|
dca3ee |
my $suffix = 0;
|